
SOAP Workday Grant Access not working

umang28
Regular Contributor

Hi, 

I have the following Grant Access JSON set up exactly how the Workday SOAP connector provided it, and while the access task gets completed successfully, the role is not getting provisioned to Workday. There are no errors in the logs either.

[{
"CONNECTION": "addRemoveAccess",
"REQUESTXML": "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:bsvc=\"urn:com.workday/bsvc\"> <soapenv:Header> <wsse:Security soapenv:mustUnderstand=\"1\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"> <wsse:UsernameToken wsu:Id=\"UsernameToken-64DBF26FBA30D3CCB6146964280369918\"> <wsse:Username>${USERNAME}</wsse:Username> <wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">${PASSWORD}</wsse:Password> <wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">lLP+oysknDXxg0ZcnRTUXg==</wsse:Nonce> </wsse:UsernameToken> </wsse:Security> </soapenv:Header> <soapenv:Body> <bsvc:Put_Assign_User-Based_Security_Groups_Request bsvc:version=\"v31.0\"> <bsvc:Assign_User-Based_Security_Groups_Data> ${com.saviynt.ecm.identitywarehouse.domain.Entitlement_values.findAllByEntitlement_valueInListAndEntitlementtypekey(allEntitlementMap.get('Security-Groups'), entTask.entitlement_valueKey.entitlementtypekey).findAll{it.entitlement_glossary?.equalsIgnoreCase('User-Based Security Group')}?.size() > 0 ? 
com.saviynt.ecm.identitywarehouse.domain.Entitlement_values.findAllByEntitlement_valueInListAndEntitlementtypekey(allEntitlementMap.get('Security-Groups'), entTask.entitlement_valueKey.entitlementtypekey).findAll{it.entitlement_glossary?.equalsIgnoreCase('User-Based Security Group')}.collect { '<bsvc:User-Based_Security_Group_Reference bsvc:Descriptor=\"?\"><bsvc:ID bsvc:type=\"Tenant_Security_Group_ID\">' + it.entitlementID + '</bsvc:ID></bsvc:User-Based_Security_Group_Reference>' }.join('') : '<bsvc:User-Based_Security_Group_Reference bsvc:Descriptor=\"?\"></bsvc:User-Based_Security_Group_Reference>'} <bsvc:Workday_Account_Reference bsvc:Descriptor=\"?\"> <bsvc:ID bsvc:type=\"System_User_ID\">${account.name}</bsvc:ID> </bsvc:Workday_Account_Reference> </bsvc:Assign_User-Based_Security_Groups_Data> </bsvc:Put_Assign_User-Based_Security_Groups_Request></soapenv:Body></soapenv:Envelope>"
}]  

I used the same payload in Postman and was able to provision a user-based security group in Workday.

Thanks,

Umang
[This post has been edited by a Moderator to merge two posts.]

 

 

12 REPLIES

sudeshjaiswal
Saviynt Employee

Hello @umang28,

Is this a new implementation?
Why are you using Workday-SOAP 1.0 and not the Workday connector 2.0? You should be using the Workday connector 2.0 if this is a new implementation, as it provides more functionality compared to Workday 1.0.
Also, you are passing ${USERNAME}; instead, please try with '+USERNAME+' or ${user.username}.

Thanks

For Ref :- https://docs.saviyntcloud.com/bundle/WD2-v23x/page/Content/Provisioning.htm#top 

If you find the above response useful, Kindly Mark it as "Accept As Solution".

I am using the SOAP Workday connector 1.0 "Workday-SOAP" to support multiple endpoints in the CONNECTIONJSON. Could you provide a working body of the grant access JSON? When I use '+USERNAME+' I get an invalid username or password error.

Thanks,

Umang

 

umang28
Regular Contributor

I tried the following way and got this error: groovy.lang.MissingPropertyException: No such property: entitlementID for class: java.lang.String

[
{
"CONNECTION":"addRemoveAccess",
"REQUESTXML":"${user.employeeType != 'Employee' && user.employeeid != null && user.employeeid != '' ? ('<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:bsvc=\"urn:com.workday/bsvc\"> <soapenv:Header> <wsse:Security soapenv:mustUnderstand=\"1\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"> <wsse:UsernameToken wsu:Id=\"UsernameToken-64DBF26FBA30D3CCB6146964280369918\"> <wsse:Username>' +USERNAME + '</wsse:Username> <wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">' +PASSWORD+'</wsse:Password> <wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">lLP+oysknDXxg0ZcnRTUXg==</wsse:Nonce> </wsse:UsernameToken> </wsse:Security> </soapenv:Header> <soapenv:Body> <bsvc:Put_Assign_User-Based_Security_Groups_Request bsvc:version=\"v38.2\"> <bsvc:Assign_User-Based_Security_Groups_Data> <bsvc:User-Based_Security_Group_Reference> <bsvc:ID bsvc:type=\"WID\">'+entitlement_value.entitlementid+'</bsvc:ID> </bsvc:User-Based_Security_Group_Reference> <bsvc:Workday_Account_Reference> <bsvc:ID bsvc:type=\"System_User_ID\">'+user.username+'</bsvc:ID> </bsvc:Workday_Account_Reference> </bsvc:Assign_User-Based_Security_Groups_Data> </bsvc:Put_Assign_User-Based_Security_Groups_Request> </soapenv:Body> </soapenv:Envelope>') : ''}",
"CUSTOM_CONFIG1":{
"WSCALLDELAYTIMESEC":"0",
"CONNECTTIMEOUTINSEC":"200",
"READTIMEOUTINSEC":"60"
}
}
]

How can we map the WID?

Thanks,

Umang

Hello @umang28,

What's the business use case for the multiple endpoints in the CONNECTIONJSON?
As suggested earlier, you may instead go with Workday connector 2.0.

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Hi @sudeshjaiswal That is not possible since we have configured it to manage the lifecycle of contingent workers in Workday, which includes creation, updates, terminations and re-hires, while calling different operations/endpoints only supported by the Workday-SOAP connector.

sudeshjaiswal
Saviynt Employee

Hello @umang28,

Please try with the below sample,

[
  {
    "CONNECTION": "login",
    "REQUESTXML": "
<soapenv:Envelope
	xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"
	xmlns:bsvc=\"urn:com.workday/bsvc\">
	<soapenv:Header>
		<wsse:Security soapenv:mustUnderstand=\"1\"
			xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"
			xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">
			<wsse:UsernameToken wsu:Id=\"UsernameToken-64DBF26FBA30D3CCB6146964280369918\">
				<wsse:Username>${USERNAME}</wsse:Username>
				<wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">${PASSWORD}</wsse:Password>
				<wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">lLP+oysknDXxg0ZcnRTUXg==</wsse:Nonce>
			</wsse:UsernameToken>
		</wsse:Security>
	</soapenv:Header>
	<soapenv:Body>
		<bsvc:Put_Assign_User-Based_Security_Groups_Request bsvc:version=\"v31.0\">
			<bsvc:Assign_User-Based_Security_Groups_Data> ${com.saviynt.ecm.identitywarehouse.domain.Entitlement_values.findAllByEntitlement_valueInListAndEntitlementtypekey(allEntitlementMap.get('Security-Groups'), entTask.entitlement_valueKey.entitlementtypekey).findAll{it.entitlement_glossary?.equalsIgnoreCase('User-Based Security Group')}?.size() > 0 ? com.saviynt.ecm.identitywarehouse.domain.Entitlement_values.findAllByEntitlement_valueInListAndEntitlementtypekey(allEntitlementMap.get('Security-Groups'), entTask.entitlement_valueKey.entitlementtypekey).findAll{it.entitlement_glossary?.equalsIgnoreCase('User-Based Security Group')}.collect { '
				<bsvc:User-Based_Security_Group_Reference bsvc:Descriptor=\"?\">
					<bsvc:ID bsvc:type=\"Tenant_Security_Group_ID\">' + it.entitlementID + '</bsvc:ID>
				</bsvc:User-Based_Security_Group_Reference>' }.join('') : '
				<bsvc:User-Based_Security_Group_Reference bsvc:Descriptor=\"?\"></bsvc:User-Based_Security_Group_Reference>'} 
				<bsvc:Workday_Account_Reference bsvc:Descriptor=\"?\">
					<bsvc:ID bsvc:type=\"System_User_ID\">${account.accountID}</bsvc:ID>
				</bsvc:Workday_Account_Reference>
			</bsvc:Assign_User-Based_Security_Groups_Data>
		</bsvc:Put_Assign_User-Based_Security_Groups_Request>
	</soapenv:Body>
</soapenv:Envelope>"
  }
]

Thanks,

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Hi @sudeshjaiswal 

I tried the same and provided the details initially when creating this post. A few other ways I tried were binding the variables, hardcoding them in the payload, and using the working payload from Postman, but all resulted in getting the Provisioning Metadata as an empty string (logs attached), although it was able to do the entitlements mapping correctly.

The create, enable, update and disable JSONs are configured and work perfectly fine, but the grant access is causing the role provisioning in PROD not to work and would need a quick resolution.

Could you also let me know where the '+it.entitlementID+' value is getting pulled from? Attaching a couple of different JSONs I tried for your reference. Let me know if we can get on a call too?

Thanks,

Umang

sudeshjaiswal
Saviynt Employee

Hello @umang28,

Can you please confirm if you are getting the Security_Group_Type in the entitlement glossary? If not, which attribute have you mapped this information to in the Access Import?

You will have to use that attribute in the highlighted attribute below.
entTask.entitlement_valueKey.entitlementtypekey).findAll{it.entitlement_glossary?.equalsIgnoreCase('User-Based Security Group')}?.size() > 0 ? com.saviynt.ecm.identitywarehouse.domain.Entitlement_values.findAllByEntitlement_valueInListAndEntitlementtypekey(allEntitlementMap.get('Security-Groups'), entTask.entitlement_valueKey.entitlementtypekey).findAll{it.entitlement_glossary?.equalsIgnoreCase('User-Based Security Group')}.collect {

You need to replace the attribute with the exact mapping you have mentioned in the access import.

I would also like to confirm whether "Tenant_Security_Group_ID" is in fact mapped to entitlementID in Saviynt. Please check the access import mapping.


Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Hi @sudeshjaiswal 

Groups are imported through the RAAS API. Yes, I believe it is pulling that data from the entitlement_values table, right? Here are the specific details of the group:

[Screenshot: umang28_0-1702573996007.png]

The data seems to be correct; hence, it was able to pull the Existing Entitlements, Existing Entitlements Map and allEntitlementMap. If I set an incorrect entitlementID value in the entitlementID column, it does not throw any validation error, but if I hardcode an incorrect entitlementID in the payload it then throws the validation error as expected (logs). Plus, hardcoding the correct entitlementID in the payload should be straightforward in provisioning the group, but it doesn't seem to like anything.

Could you also let me know the location where the default payloads of each JSONs of the workday connector are defined on the server?

Thanks,

Umang

 

 

gauravchandok
New Contributor III

Hi Umang,

Were you able to resolve it?

Thanks

sudeshjaiswal
Saviynt Employee

Hello @umang28 ,

Can you please provide the account and access import connection parameters?

Thanks

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Hi @sudeshjaiswal @gauravchandok The payload is indeed working; I got a confirmation from Workday that the group was provisioned. However, while I was running the import job _SAV_AccountsToSecurityGroups_, all the groups were getting removed from the user in Saviynt due to the incorrect data.

We are using the Hybrid Workday connector 2.0 for importing purposes and, based on the documentation, the Non-editable Default Access Mappings are as follows:

{
  "Security Group": {
    "ImportMapping": {
      "ENTITLEMENTID": "wd:Security_Group.wd:ID[0].content~#~char",
      "ENTITLEMENT_VALUE": "wd:Security_Group.wd:Descriptor~#~char",
      "ENTCLASS": "wd:Security_Group_Type.wd:Descriptor~#~char",
      "STATUS": "wd:Inactive~#~char"
    }
  },

Which means ENTITLEMENTID should be mapped to the WID type and not the Tenant_Security_Group_ID, which is incorrectly mentioned in the default payload of the connector.

Thanks,

Umang
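
The ID-type mismatch identified in the last post can be caught before a request is sent. The following is an added example, not part of the thread and not Saviynt or Workday code: it parses a rendered grant-access body and flags security-group IDs whose declared bsvc:type disagrees with the value's shape. The function name check_group_ids, the sample body and the rule that a WID is 32 hexadecimal characters are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

BSVC_NS = "urn:com.workday/bsvc"
NS = {"bsvc": BSVC_NS}
# Assumption for this example: a Workday WID is 32 hexadecimal characters.
WID_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample: rendered body (header omitted); the ID value is made up.
SAMPLE = """<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:bsvc="urn:com.workday/bsvc"><soapenv:Body>
 <bsvc:Put_Assign_User-Based_Security_Groups_Request bsvc:version="v31.0">
  <bsvc:Assign_User-Based_Security_Groups_Data>
   <bsvc:User-Based_Security_Group_Reference>
    <bsvc:ID bsvc:type="Tenant_Security_Group_ID">0123456789abcdef0123456789abcdef</bsvc:ID>
   </bsvc:User-Based_Security_Group_Reference>
   <bsvc:Workday_Account_Reference>
    <bsvc:ID bsvc:type="System_User_ID">jdoe</bsvc:ID>
   </bsvc:Workday_Account_Reference>
  </bsvc:Assign_User-Based_Security_Groups_Data>
 </bsvc:Put_Assign_User-Based_Security_Groups_Request>
</soapenv:Body></soapenv:Envelope>"""


def check_group_ids(rendered_xml):
    """Return (declared_type, value, problem) per security-group ID."""
    root = ET.fromstring(rendered_xml)
    findings = []
    path = ".//bsvc:User-Based_Security_Group_Reference/bsvc:ID"
    for node in root.findall(path, NS):
        # Prefixed attributes are stored under their full namespace URI.
        declared = node.get("{%s}type" % BSVC_NS)
        value = (node.text or "").strip()
        looks_like_wid = bool(WID_RE.match(value.lower()))
        if not value:
            problem = "empty ID: the entitlement lookup rendered nothing"
        elif declared == "WID" and not looks_like_wid:
            problem = "declared WID but value is not 32 hex characters"
        elif declared != "WID" and looks_like_wid:
            problem = "value looks like a WID but is declared as %s" % declared
        else:
            problem = None
        findings.append((declared, value, problem))
    return findings


if __name__ == "__main__":
    for finding in check_group_ids(SAMPLE):
        print(finding)
```
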